Skip to content

feat: container security — runtime threat detection (ops) #16

Description

@ms280690

Context

Stage: Runtime / Ops
Tool: falco
Parent: (see container security parent issue)

Why falco

falco is the only CNCF-graduated eBPF/syscall runtime security tool:

  • Monitors every syscall made by every container in the cluster in real time
  • Detects runtime threats that static analysis cannot see: unexpected shell spawns inside containers, privilege escalation attempts, unexpected network connections, reads from /etc/shadow, writes to /proc, unexpected process execution
  • eBPF driver runs in kernel space — zero container modification, no sidecar injection
  • 200+ default detection rules aligned to MITRE ATT&CK container tactics
  • Integrates with Wazuh (Step 9) via falcosidekick → forwards alerts to SIEM for correlation

Static scanners (trivy, grype, hadolint) detect known vulnerabilities and misconfigurations at build time. falco detects exploitation of those vulnerabilities and novel attacks at runtime.

GitHub Actions workflow scope

The Runtime/Ops context does not run as a PR gate — falco operates as always-on cluster infrastructure. The GitHub Actions workflows in this issue cover:

  1. Lint and validate falco rules on PRs that modify .falco/ or falco-rules/ — catches YAML syntax errors and unknown fields before deployment
  2. Deploy / update falco via the falco Helm chart on merge to main (deployment workflow)

falco-rules-lint.yml — PR gate

name: Falco Rules Lint
on:
  workflow_call:
    inputs:
      rules-dir:
        description: 'Directory containing custom falco rules files'
        default: '.falco'
        type: string

Uses falco --validate (dry-run) to parse custom rules files and report errors without needing a running kernel driver.

falco-deploy.yml — deployment workflow

name: Falco Deploy
on:
  workflow_call:
    inputs:
      cluster-name:
        description: 'EKS cluster name'
        required: true
        type: string
      falco-chart-version:
        description: 'falco Helm chart version to deploy'
        default: '4.x'
        type: string
      rules-dir:
        description: 'Directory containing custom falco rules to include'
        default: '.falco'
        type: string

Deploys or upgrades falco via helm upgrade --install, mounting custom rules from the consuming repo's .falco/ directory as a ConfigMap.

Consuming repo usage

# .github/workflows/falco-deploy.yml
name: Deploy Falco
on:
  push:
    branches: [main]
    paths:
      - '.falco/**'
      - 'infrastructure/falco/**'
jobs:
  deploy:
    uses: sparkgeo/github-actions/.github/workflows/falco-deploy.yml@main
    with:
      cluster-name: prescient-prod
      falco-chart-version: '4.x'
      rules-dir: .falco

Falco + Wazuh integration (cross-ref Step 9)

Configure falcosidekick to forward falco alerts to the Wazuh SIEM:

# falcosidekick values (in consuming repo's falco Helm values)
falcosidekick:
  enabled: true
  config:
    webhook:
      address: "http://wazuh-manager:55000/falco"

This integrates falco runtime alerts with the SIEM correlation rules in Step 9, enabling detection of:

  • Container escape attempts (syscall anomalies → Wazuh alert)
  • Unexpected outbound connections from containers (NDR cross-ref Step 13)
  • Privilege escalation inside containers (IAM cross-ref Step 21)

Key detection categories

Category Example falco rule MITRE ATT&CK
Shell in container spawned_process inside a non-shell image T1059
Privilege escalation setuid binary execution T1548
Credential access Read from /etc/shadow or /root/.aws T1552
Exfiltration Unexpected outbound connection on non-standard port T1041
Persistence Write to /etc/cron.d from container T1053

Metadata

Metadata

Assignees

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions